+2020/10/07 - 3.0.3 build 2
+
+-- appid: Create events for client user name, id and login success
+-- appid: Inform third-party about snort's idle state during reload
+-- appid: Reload detector patterns on reload_config for the sake of hyperscan
+-- appid: Update appid to use instance based reload tuner
+-- binder: Allow binding based on address spaces
+-- binder: Allow directional binding based on interfaces
+-- binder: Enforce directionality, add intfs, rename groups, cleanup
+-- framework: Update packet constraints comparison to check only set fields
+-- host_tracker: Update host tracker to use instance based reload tuner
+-- http2_inspect: Fix frame padding handling
+-- http2_inspect: Free up HI flow data when we are finished with it
+-- http2_inspect: Stream state tracking
+-- http_inspect: Implement can_start_tls(), add support of ssl search abandoned event
+-- http_inspect: Support for custom xff type headers
+-- main: Change reload memcap framework to use object instances
+-- main: Remove deprecated rule_state module
+-- main: Update host attribute class to use instance based reload tuner
+-- normalizer: Move TTL configuration toggle to inspector configure()
+-- perf_monitor: Update perf monitor to use instance based reload tuner
+-- policy: Copy uuid, user_policy_id, and policy_mode when an inspection policy is cloned
+-- pop: Generate alert for unknown command if file policy is attached.
+-- port_scan: Update port scan to use instance based reload tuner
+-- rna: Add event_time to rna logger events
+-- rna: Add payload discovery logic
+-- rna: Check user-agent processor early to skip some work
+-- rna: Port host type discovery logic
+-- rna: Set the thread local fingerprint processors during reload_config
+-- rna: Update rna to use instance based reload tuner
+-- rna: Update methods for user-agent processor
+-- rna: User discovery for successful login
+-- snort2lua: Convert rule_state into ips.states
+-- stream_tcp: Update trace messages to use trace framework
+-- stream: Update stream to use instance based reload tuner
+-- trace: Update parser unit tests
+-- wizard: Clean up parameter parsing and make it a bit stricter
+
2020/09/23 - 3.0.3 build 1
-- ac_bnfa: Disable broken fail state reduction
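Review bot: the pop entry ("Generate alert for unknown command if file policy is attached.") is the only line in this release block that ends with a period; drop it for consistency with the rest of the list. Two user-visible changes in this build are not called out anywhere in the list: the binder.packets peg count disappears (the new counters are new_flows, no_match and friends, which are not the same quantity), and binder.when.ifaces is removed with no deprecated alias, unlike zones/src_zone/dst_zone which keep one. Anyone scraping perf stats or carrying an older binder config will hit both, so a line along the lines of "-- binder: Remove ifaces and the packets peg; use intfs and new_flows" belongs here. The new trace.modules.dpx entry in the reference also has no ChangeLog line.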
The Snort Team
Revision History
-Revision 3.0.3 (Build 1) 2020-09-23 11:56:23 EDT TST
+Revision 3.0.3 (Build 2) 2020-10-07 13:11:06 EDT TST
---------------------------------------------------------------------
2.24. profiler
2.25. rate_filter
2.26. references
- 2.27. rule_state
- 2.28. search_engine
- 2.29. side_channel
- 2.30. snort
- 2.31. suppress
- 2.32. trace
+ 2.27. search_engine
+ 2.28. side_channel
+ 2.29. snort
+ 2.30. suppress
+ 2.31. trace
3. Codec Modules
* string references[].url: where this reference is defined
-2.27. rule_state
-
---------------
-
-Help: enable/disable and set actions for specific IPS rules;
-deprecated, use rule state stubs with enable instead
-
-Type: basic
-
-Usage: detect
-
-Configuration:
-
- * enum rule_state.$gid_sid[].action = alert: apply action if rule
- matches or inherit from rule definition { log | pass | alert |
- drop | block | reset }
- * enum rule_state.$gid_sid[].enable = inherit: enable or disable
- rule in current ips policy or use default defined by ips policy {
- no | yes | inherit }
-
-
-2.28. search_engine
+2.27. search_engine
--------------
* search_engine.searched_bytes: total bytes searched (sum)
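Review bot: removing the whole section leaves no pointer for anyone who still has rule_state in a config; the deleted help text said to use rule state stubs with enable, and the ChangeLog says snort2lua converts rule_state into ips.states. Keep a one-line note under the ips module or in the deprecations list saying the table is gone and that snort2lua performs the conversion, so the manual does not simply go silent on a table name Snort no longer accepts.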
-2.29. side_channel
+2.28. side_channel
--------------
* side_channel.packets: total packets (sum)
-2.30. snort
+2.29. snort
--------------
failed due to attribute table full (sum)
-2.31. suppress
+2.30. suppress
--------------
according to track
-2.32. trace
+2.31. trace
--------------
logging { 0:255 }
* int trace.modules.detection.tag: enable tag trace logging { 0:255
}
+ * int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.gtp_inspect.all: enable all trace options {
0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
* int trace.modules.stream.all: enable all trace options { 0:255 }
* int trace.modules.stream_ip.all: enable all trace options { 0:255
}
+ * int trace.modules.stream_tcp.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.stream_tcp.segments: enable stream TCP segments
+ trace logging { 0:255 }
+ * int trace.modules.stream_tcp.state: enable stream TCP state trace
+ logging { 0:255 }
* int trace.modules.stream_user.all: enable all trace options {
0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
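Review bot: dpx.all has no matching ChangeLog entry and no description beyond "enable all trace options"; add the ChangeLog line and, if dpx exposes sub-options the way detection and stream_tcp do here (detection.tag, stream_tcp.segments, stream_tcp.state), list them so operators know what "all" turns on.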
Configuration:
- * int binder[].when.ips_policy_id = 0: unique ID for selection of
- this config by external logic { 0:max32 }
- * bit_list binder[].when.ifaces: list of interface indices { 255 }
+ * int binder[].when.ips_policy_id: unique ID for selection of this
+ config by external logic { 0:max32 }
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
* addr_list binder[].when.nets: list of networks
* addr_list binder[].when.src_nets: list of source networks
* bit_list binder[].when.src_ports: list of source ports { 65535 }
* bit_list binder[].when.dst_ports: list of destination ports {
65535 }
- * bit_list binder[].when.zones: zones { 63 }
- * bit_list binder[].when.src_zone: source zone { 63 }
- * bit_list binder[].when.dst_zone: destination zone { 63 }
+ * string binder[].when.intfs: list of interface IDs
+ * string binder[].when.src_intfs: list of source interface IDs
+ * string binder[].when.dst_intfs: list of destination interface IDs
+ * string binder[].when.groups: list of interface group IDs
+ * string binder[].when.src_groups: list of source interface group
+ IDs
+ * string binder[].when.dst_groups: list of destination group IDs
+ * string binder[].when.addr_spaces: list of address space IDs
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
+ * string binder[].when.zones: deprecated alias for groups
+ * string binder[].when.src_zone: deprecated alias for src_groups
+ * string binder[].when.dst_zone: deprecated alias for dst_groups
* enum binder[].use.action = inspect: what to do with matching
traffic { reset | block | allow | inspect }
* string binder[].use.file: use configuration in given file
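Review bot: three things in the when block need attention. (1) Dropping the "= 0" default on ips_policy_id is a semantic change, not a doc cleanup: an entry that omits it previously carried the value 0 and now carries no value, and with the framework change to "check only set fields" (ChangeLog) such an entry presumably matches regardless of policy rather than matching policy 0. Whichever it is, the help text should say it ("unset matches any policy"), because a binding that silently widens its scope is exactly what operators need to see. (2) ifaces is removed outright while zones/src_zone/dst_zone get deprecated aliases; give ifaces an alias to intfs, or have snort2lua rewrite it, so existing configs keep loading. (3) The new string lists say nothing about separator or range where the old bit_list entries gave "{ 255 }" and "{ 63 }"; state the separator (space, as xff_headers does) and whether IDs are numeric, and make the help strings parallel: src_groups reads "list of source interface group IDs" but dst_groups reads "list of destination group IDs".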
Peg counts:
- * binder.packets: initial bindings (sum)
- * binder.resets: reset bindings (sum)
- * binder.blocks: block bindings (sum)
- * binder.allows: allow bindings (sum)
- * binder.inspects: inspect bindings (sum)
+ * binder.new_flows: new flows evaluated (sum)
+ * binder.service_changes: flow service changes evaluated (sum)
+ * binder.assistant_inspectors: flow assistant inspector requests
+ handled (sum)
+ * binder.new_standby_flows: new HA flows evaluated (sum)
+ * binder.no_match: binding evaluations that had no matches (sum)
+ * binder.resets: reset actions bound (sum)
+ * binder.blocks: block actions bound (sum)
+ * binder.allows: allow actions bound (sum)
+ * binder.inspects: inspect actions bound (sum)
5.6. cip
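Review bot: binder.packets goes away with no counter of the same name; perf_monitor consumers keying on it will see it vanish, and new_flows is a different quantity (flows evaluated, not packets). Mention the rename in the ChangeLog and consider keeping the old name for one release. The help strings "reset actions bound", "block actions bound" read oddly next to "new flows evaluated"; "flows bound to reset" and so on would be parallel.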
* 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
* 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
* 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
+ * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
+ * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame
+ type
+ * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
+ length
Peg counts:
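Review bot: the 121:21 message "padding flag set on invalid HTTP/2 frame type" is ambiguous: the frame type is not invalid, it is a type that does not carry padding (RFC 7540 defines the PADDED flag only for DATA, HEADERS and PUSH_PROMISE). "padding flag set on HTTP/2 frame type that does not support padding" says what the alert means. For 121:22, "zero length" presumably means a frame whose length field is 0, leaving no room for the Pad Length byte; say so, since a reader could take it to mean a padding length of zero, which is legal.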
normalizing URIs
* bool http_inspect.simplify_path = true: reduce URI directory path
to simplest form
+ * string http_inspect.xff_headers = x-forwarded-for true-client-ip:
+ specifies the xff type headers to parse and consider in the same
+ order of preference as defined
Rules:
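Review bot: the xff_headers help string does not say how names are separated (section 5.10.2.9 says a space) nor whether matching is case-insensitive (HTTP header names are, and the default is written lower-case while the prose writes X-Forwarded-For); put both in the help string, since that is what --help-config shows. Also spell out that "same order of preference" means the first listed header that is present wins.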
* http_inspect.parameters: HTTP parameters inspected (sum)
* http_inspect.connect_tunnel_cutovers: CONNECT tunnel flow
cutovers to wizard (sum)
+ * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned
+ too soon (sum)
5.25. imap
* string binder[].use.service: override automatic service
identification
* string binder[].use.type: select module for binding
+ * string binder[].when.addr_spaces: list of address space IDs
+ * string binder[].when.dst_groups: list of destination group IDs
+ * string binder[].when.dst_intfs: list of destination interface IDs
* addr_list binder[].when.dst_nets: list of destination networks
* bit_list binder[].when.dst_ports: list of destination ports {
65535 }
- * bit_list binder[].when.dst_zone: destination zone { 63 }
- * bit_list binder[].when.ifaces: list of interface indices { 255 }
- * int binder[].when.ips_policy_id = 0: unique ID for selection of
- this config by external logic { 0:max32 }
+ * string binder[].when.dst_zone: deprecated alias for dst_groups
+ * string binder[].when.groups: list of interface group IDs
+ * string binder[].when.intfs: list of interface IDs
+ * int binder[].when.ips_policy_id: unique ID for selection of this
+ config by external logic { 0:max32 }
* addr_list binder[].when.nets: list of networks
* bit_list binder[].when.ports: list of ports { 65535 }
* enum binder[].when.proto: protocol { any | ip | icmp | tcp | udp
* enum binder[].when.role = any: use the given configuration on one
or any end of a session { client | server | any }
* string binder[].when.service: override default configuration
+ * string binder[].when.src_groups: list of source interface group
+ IDs
+ * string binder[].when.src_intfs: list of source interface IDs
* addr_list binder[].when.src_nets: list of source networks
* bit_list binder[].when.src_ports: list of source ports { 65535 }
- * bit_list binder[].when.src_zone: source zone { 63 }
+ * string binder[].when.src_zone: deprecated alias for src_groups
* bit_list binder[].when.vlans: list of VLAN IDs { 4095 }
- * bit_list binder[].when.zones: zones { 63 }
+ * string binder[].when.zones: deprecated alias for groups
* interval bufferlen.~range: check that total length of current
buffer is in given range { 0:65535 }
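Review bot: the same wording inconsistency as in the binder section proper appears here: src_groups reads "list of source interface group IDs", dst_groups "list of destination group IDs". Both files are generated from the module help strings, so fix it once in binder's parameter table and regenerate rather than editing the text.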
* implied bufferlen.relative: use remaining length (from current
encoded
* bool http_inspect.utf8 = true: normalize 2-byte and 3-byte UTF-8
characters to a single byte
+ * string http_inspect.xff_headers = x-forwarded-for true-client-ip:
+ specifies the xff type headers to parse and consider in the same
+ order of preference as defined
* implied http_method.with_body: parts of this rule examine HTTP
message body
* implied http_method.with_header: this rule is limited to
* int rpc.~app: application number { 0:max32 }
* string rpc.~proc: procedure number or * for any
* string rpc.~ver: version number or * for any
- * enum rule_state.$gid_sid[].action = alert: apply action if rule
- matches or inherit from rule definition { log | pass | alert |
- drop | block | reset }
- * enum rule_state.$gid_sid[].enable = inherit: enable or disable
- rule in current ips policy or use default defined by ips policy {
- no | yes | inherit }
* string s7commplus_func.~: function code to match
* string s7commplus_opcode.~: opcode code to match
* string sd_pattern.~pattern: The pattern to search for
trace logging { 0:255 }
* int trace.modules.detection.tag: enable tag trace logging { 0:255
}
+ * int trace.modules.dpx.all: enable all trace options { 0:255 }
* int trace.modules.gtp_inspect.all: enable all trace options {
0:255 }
* int trace.modules.latency.all: enable all trace options { 0:255 }
* int trace.modules.stream.all: enable all trace options { 0:255 }
* int trace.modules.stream_ip.all: enable all trace options { 0:255
}
+ * int trace.modules.stream_tcp.all: enable all trace options {
+ 0:255 }
+ * int trace.modules.stream_tcp.segments: enable stream TCP segments
+ trace logging { 0:255 }
+ * int trace.modules.stream_tcp.state: enable stream TCP state trace
+ logging { 0:255 }
* int trace.modules.stream_user.all: enable all trace options {
0:255 }
* int trace.modules.wizard.all: enable all trace options { 0:255 }
third-party module is reloaded (sum)
* arp_spoof.packets: total packets (sum)
* back_orifice.packets: total packets (sum)
- * binder.allows: allow bindings (sum)
- * binder.blocks: block bindings (sum)
- * binder.inspects: inspect bindings (sum)
- * binder.packets: initial bindings (sum)
- * binder.resets: reset bindings (sum)
+ * binder.allows: allow actions bound (sum)
+ * binder.assistant_inspectors: flow assistant inspector requests
+ handled (sum)
+ * binder.blocks: block actions bound (sum)
+ * binder.inspects: inspect actions bound (sum)
+ * binder.new_flows: new flows evaluated (sum)
+ * binder.new_standby_flows: new HA flows evaluated (sum)
+ * binder.no_match: binding evaluations that had no matches (sum)
+ * binder.resets: reset actions bound (sum)
+ * binder.service_changes: flow service changes evaluated (sum)
* cip.concurrent_sessions: total concurrent SIP sessions (now)
* cip.max_concurrent_sessions: maximum concurrent SIP sessions
(max)
messages (sum)
* http_inspect.script_detections: early inspections of scripts in
HTTP responses (sum)
+ * http_inspect.ssl_srch_abandoned_early: total SSL search abandoned
+ too soon (sum)
* http_inspect.trace_requests: TRACE requests inspected (sum)
* http_inspect.uri_coding: URIs with character coding problems
(sum)
* 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
* 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
* 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
+ * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
+ * 121:21 (http2_inspect) padding flag set on invalid HTTP/2 frame
+ type
+ * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
+ length
* 122:1 (port_scan) TCP portscan
* 122:2 (port_scan) TCP decoy portscan
* 122:3 (port_scan) TCP portsweep
fingerprinting (experimental)
* rpc (ips_option): rule option to check SUNRPC CALL parameters
* rpc_decode (inspector): RPC inspector
- * rule_state (basic): enable/disable and set actions for specific
- IPS rules; deprecated, use rule state stubs with enable instead
* s7commplus (inspector): s7commplus inspection
* s7commplus_content (ips_option): rule option to set cursor to
s7commplus content
The Snort Team
Revision History
-Revision 3.0.3 (Build 1) 2020-09-23 11:56:13 EDT TST
+Revision 3.0.3 (Build 2) 2020-10-07 13:10:58 EDT TST
---------------------------------------------------------------------
by a *. Used for unquoted, comma-separated lists such as service
and metadata.
* The snort module has command line options starting with a -.
- * $ denotes variable names, eg rule_state.$gid_sid which would be
- used like rule_state["1:23456"] = { }.
+ * $ denotes variable names.
Some additional details to note:
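Review bot: stripping the example leaves "$ denotes variable names" with nothing that shows the notation. If no parameter in the manual still has a $ component now that rule_state is gone, delete the bullet; if one does, substitute that parameter, written the same way the removed rule_state example was, so the convention stays illustrated.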
replaces consecutive whitespaces with a single space and normalizes
the plus by concatenating the strings.
-5.10.2.9. URI processing
+5.10.2.9. xff_headers
+
+This configuration supports defining custom x-forwarded-for type
+headers. In a multi-vendor world, it is quite possible that the
+header name carrying the original client IP could be vendor-specific.
+This is due to the absence of standardization which would otherwise
+standardize the header name. In such a scenario, this configuration
+provides a way with which such headers can be introduced to HI. The
+default value of this configuration is "x-forwarded-for
+true-client-ip". The default definition introduces the two commonly
+known headers and is preferred in the same order by the inspector as
+they are defined, e.g "x-forwarded-for" will be preferred than
+"true-client-ip" if both headers are present in the stream. The
+header names should be delimited by a space.
+
+5.10.2.10. URI processing
Normalization and inspection of the URI in the HTTP request message
is a key aspect of what http_inspect does. The best way to normalize
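Review bot: the new section needs a trust caveat and a trim. Every header in this list arrives from the client unless a proxy the operator controls strips or rewrites it, so the preference order is a trust decision rather than a parsing detail: if the proxy in front of Snort writes only True-Client-IP and an attacker adds their own X-Forwarded-For, the default order "x-forwarded-for true-client-ip" hands the attacker the address that the true-IP rule buffer documented under 5.10.4 will report. Tell readers to list first the header their proxy actually writes and to list nothing their own infrastructure does not set. Prose: "This is due to the absence of standardization which would otherwise standardize the header name" restates itself and can go; "will be preferred than" should be "preferred over"; "HI" is not expanded anywhere in this section (http_inspect). The section is inserted as 5.10.2.9 and only URI processing is renumbered in this hunk; check that the rest of 5.10.2 moved along with it.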
This provides the original IP address of the client sending the
request as it was stored by a proxy in the request message headers.
-Specifically it is the last IP address listed in the X-Forwarded-For
-or True-Client-IP header. If both headers are present the former is
-used.
+Specifically it is the last IP address listed in the X-Forwarded-For,
+True-Client-IP or any other custom x-forwarded-for type header. If
+multiple headers are present the preference defined in xff_headers
+configuration is considered.
5.10.4.6. http_client_body
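Review bot: "the preference defined in xff_headers configuration is considered" is vague; "the first header listed in xff_headers that is present is used" says what happens. It is also worth one sentence on why the last address in the header is taken rather than the first: the last entry is the one recorded by the proxy nearest to Snort, which is the trustworthy choice only when that proxy appends to or overwrites a client-supplied header rather than passing it through; readers configuring custom headers need that reasoning to judge whether it holds for their proxy.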